7 Keys to a Successful Cloud Contract
A college attorney explains seven legal issues that institutions need to consider before signing a cloud computing contract.
- By Dian Schaffhauser
Moving some aspect of your campus IT operations to the cloud won't eradicate your worries about that function. But a well-considered contract can go a long way to mitigating your concerns, according to Steve McDonald, general counsel for Rhode Island School of Design.
Since the typical cloud deal starts with a form contract from a vendor, it's essential that colleges and universities review it to ensure it reflects the actual business terms that have been agreed. Otherwise, "it likely will include only the vendor's standard terms, which probably won't be the complete deal and probably won't favor you," McDonald noted.
McDonald thinks of a contract as "the owner's manual of the relationship." Ideally, he said, "the contract spells out exactly how everything is supposed to work, and who does what and when." The more you can hash out potential problems before the contract is signed, the less likely there will be a dispute later on. And if there is a dispute, explained McDonald, "the easier it is to solve, because you can point to the relevant provision and say, 'Here's what needs to happen.'"
To ensure that you get off on the right legal footing, here are seven areas worth thinking about.
1. FERPA and Other Data Privacy
McDonald can tell if a representative from a cloud vendor is new to higher education as soon as the conversation turns to the Family Educational Rights and Privacy Act. "Their first question is, 'What's FERPA?'" noted McDonald. "If they don't already know that, chances are they haven't built FERPA compliance into their system, and that's a big concern. We can't outsource student data to someone who can't comply with FERPA."
Since FERPA deals with the privacy of student records, the contract must allocate responsibility and liability for maintaining that privacy, McDonald explained. The same concern will arise with medical records, financial records, credit card records, and other forms of personal information protected under state statutes. The contract must convey the idea that the vendor will comply with the regulations on behalf of your institution. Plus, the contract should specify who's responsible or liable in the event of a data breach.
"If we're hiring somebody to do something, we're hiring them to do it right," explained McDonald. "If they don't, that ought to be their responsibility, and they ought to say it's their responsibility." But the first draft of a contract isn't always written that way.
Handing over an IT operation to a cloud service provider doesn't release you from having to respond to discovery requests in the event of litigation. However, many people believe that, if they've ever possessed something that could be pertinent to a case, they have to be able to go back and get it. "That's not true," said McDonald. "There's nothing in the discovery rules that requires you to keep everything forever. The other side can get only whatever happens to exist at that point."
If it's an "ephemeral transaction, you don't need to keep it at all," continued McDonald. On the other hand, if there is data that might be important from a legal perspective and will be around for a length of time—or even if the vendor just didn't get rid of it—then you'll want to think through how to respond to discovery requests. Make sure the contract provides for tools in the cloud service system that will enable you to find the data or files you need, and specifies whether the vendor will help you find what you need.
"If you don't know the answer to that, it will be much harder and take much longer to solve when you get the discovery request," McDonald pointed out. "At the very least, you want to know how your data is being stored and for how long, and whether you have a say in that."
3. Export Controls
Research universities especially will want to consider the impact of storing data in the cloud that is subject to export controls. These are US laws that regulate what can and cannot be exported for reasons of national security.
If data is being stored in the cloud and the vendor keeps that data in centers around the world, this arrangement might conflict with export controls. Such a setup will be particularly problematic "if the data is not maintained in an encrypted form," noted McDonald. "It might be illegal for that data to be in a foreign country." Even if it's not, he pointed out, the country where it's located "might have rights to access that data under its own laws, and that might be a problem for you as well."
From a practical standpoint, it might not be a problem if the data is encrypted both in transmission and in storage, "so even the vendor can't tell what it is," added McDonald.
4. Responsibility for End Users
Some cloud service vendors want schools to assume responsibility for everything their users do. This may not be problematic with respect to staff and faculty, especially if they already receive liability protection on campus. What concerns McDonald about some cloud contracts is when a school is expected to assume responsibility for the actions of its students. Under this scenario, students could easily sign up directly for the service as individuals, but the liability shifts from the vendor to the institution. "If students signed up over the internet on their own, it should be the vendor's problem if they did something that created liability, not yours," McDonald claimed.
There are a variety of ways to handle this part of the agreement. At one end of the spectrum, the institution might push for contract language that says it'll use "best efforts to ensure that users comply." Better yet would be to promise "reasonable efforts." Still better, said McDonald, "Don't do anything, but tell the students what their obligations are," and leave enforcement to the vendor.
"As you negotiate, you'll probably end up somewhere in the middle of that spectrum, but it's important to push because you're taking on liability that you wouldn't have otherwise," McDonald explained.
5. Choice of Jurisdiction
Every agreement from a service provider will specify where disputes will be handled. Typically, vendors will indicate their own geographical location. But, noted McDonald, "public universities may not--even if they wanted to--be allowed to agree to that." Besides, he added, why should they give the home court advantage to the vendor?
One approach is to provide that any lawsuit between the parties be filed in the jurisdiction of the defendant, whichever that may turn out to be. "It's mutual and therefore fair," said McDonald, "but it also encourages the parties not to go to a lawsuit, at least not right away."
McDonald is a fan of this particular approach. "While I'm negotiating the contract, I have no idea who's going to file a lawsuit, so it doesn't give anyone the advantage," he explained. "But down the road, if I think I might want to be a plaintiff, I'm probably going to try harder to resolve this informally before filing a lawsuit, because it's going to be inconvenient for me."
6. The End of the Contract
The contract needs to spell out what happens when the agreement ends, either because it has expired or the deal has been terminated. There are two aspects to address: One is access to the data in a usable form--not a proprietary format--and the other is how long the transition period should last. It's probable that the standard vendor contract will simply say that, in the event that the agreement is terminated, "you can have your data back." It needs to specify the format and the timeframe.
As an example, McDonald cites RISD's transition of e-mail to a common cloud service provider. During contract negotiations, McDonald asked his school's IT department how long it would need to replace the service if the vendor went away. Their response: Ideally, a year, because it's not easy to build an e-mail system from scratch. At minimum, they would have needed six months to line up another vendor and manage the transition.
7. Terms that are Modifiable at Will
"Gotcha" legal phrases are a major reason to forge a tight relationship with your institution's lawyers and to give them plenty of time to review cloud service agreements. McDonald recalled one IT contract that had a "bunch of nice-sounding terms," but at the end included a proviso that "we the vendor can change the terms of service in our discretion upon notice." In effect, he explained, there wasn't really an agreement on any of those terms in the first place.
When McDonald raised the issue, the vendor's answer was, "Well, we need that one because we need the flexibility to make changes." McDonald replied that the language made the whole document pointless. He recalled throwing the contract dramatically on the floor and declaring, "Why are we even talking about this? It's meaningless."
It was all just lawyer head-butting, but it worked. In the end, the two parties came up with alternative text that allowed the vendor to improve its service without the school's permission. "But if they wanted to change the legal terms of the relationship, it needed mutual agreement," noted McDonald. "Otherwise, it's not really a contract."
A Cloud Service Contract in Progress
Members of two organizations--The Common Solutions Group and the National Association of College and University Attorneys--in 2010 released a jointly developed draft of a model agreement that colleges and universities can consider for obtaining cloud services. The goal is to develop standard language upon which schools could "base their engagements with vendors of outsourced collaboration services, including e-mail." Educause makes the document available online, along with a model request for proposal and a summary of issues related to both.